Wednesday, August 29, 2012

In FIM the Initial Flow Only setting isn’t named very well. A better name would have been “During Provisioning Add Only”. This flow selection only occurs on a provisioning add, and not the first time a Sync Rule flow is invoked.

This has both positive and negative benefits.

On the positive side an initial flow of a default password won’t reset the passwords of all existing users that come in to the metaverse from an import on your AD MA.

On the negative side there is no other built in mechanism to perform a one-time action. For example, during user deprovisioning a flag gets set in the metaverse that causes my users to transition from the “active” sync rule to the “delete pending” sync rule. I would love to be able to set a random password one time so that if the account needs to transition back to active then the previous password no longer works. (We will reactivate accounts to allow managers to have access to their departing employee’s data and I need to ensure the employee does not continue to know a password that functions, and a separate process outside of FIM sync lets the manager set a usable password after the account is reactivated.) But attempting to check the Initial Flow Only checkbox on the unicodePwd flow results in an error message “This Synchronization Rule cannot contain initial flows: To create an initial flow, please enable object creation for this Synchronization Rule and remove any dependency on another Synchronization Rule.” Enabling object creation allows the Initial Flow Only checkbox to be checked, but still won’t cause the flow to happen because the user already exists. Hence my realization that the name is not fully descriptive of its functionality.

So as a compromise I left the random unicodePwd flow as a persistent flow. The only downside to this is that any Full Sync will recalculate a new random password, and even in scenarios where no other data has been changed, new Export Attribute Flows will be created that include the newly randomized password. This makes for some fun debugging when you aren’t expecting it. Since unicodePwd doesn’t show up in the GUI when reviewing a pending export, it looks like an export is being created that has no changes in it.